Bug 1380706
| Summary: | JBoss ON user's roles do not match LDAP mapping if user is logged in using JBoss ON CLI | ||
|---|---|---|---|
| Product: | [JBoss] JBoss Operations Network | Reporter: | bkramer <bkramer> |
| Component: | Security | Assignee: | Simeon Pinder <spinder> |
| Status: | CLOSED ERRATA | QA Contact: | Filip Brychta <fbrychta> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | JON 3.3.6 | CC: | fbrychta, hhovsepy, loleary, spinder |
| Target Milestone: | CR02 | Keywords: | Triaged |
| Target Release: | JON 3.3.10 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-02-16 03:16:33 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1380709 | ||
| Bug Blocks: | |||
Moving to ON_QA. JON 3.3.10 CR01 artifacts are available for test from here: http://download.eng.bos.redhat.com/brewroot/packages/org.jboss.on-jboss-on-parent/3.3.0.GA/166/maven/org/jboss/on/jon-server-patch/3.3.0.GA/jon-server-patch-3.3.0.GA.zip *Note: jon-server-patch-3.3.0.GA.zip maps to CR01 build of jon-server-3.3.0.GA-update-10.zip. Triage: Larry, Simeon, Filip: Because of time pressure and REST API issues which are still visible, this BZ will address only CLI issues. Fix for REST will be tracked in new bz targeted for JON 3.3.11 Moving to ON_QA. JON 3.3.10 CR02 artifacts are available for test from here: http://download.eng.bos.redhat.com/brewroot/packages/org.jboss.on-jboss-on-parent/3.3.0.GA/169/maven/org/jboss/on/jon-server-patch/3.3.0.GA/jon-server-patch-3.3.0.GA.zip *Note: jon-server-patch-3.3.0.GA.zip maps to CR02 build of jon-server-3.3.0.GA-update-10.zip. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0325 |
Description of problem: The user's roles should match the LDAP mapping regardless of how users are logged in. This is the case with user logged in using JBoss ON UI. However, if the user is logged in using JBoss ON CLI or REST API this will not be the case. Version-Release number of selected component (if applicable): JBoss ON 3.3.6 How reproducible: Always Steps to Reproduce: 1. Create LDAP user (for instance: myTest) that does not belong to JON LDAP Group but belongs to some other LDAP groups; 2. In JBoss ON UI, logged in as "rhqadmin" user, change "All Resources" role to include JON LDAP Group (JON UI -> Administration -> Roles -> LDAP Group); 3. Also, add newly created LDAP user to "All Resources" role (JON UI -> Administration -> Roles -> Users; 4. Save the changes and log out; 5. Using newly created LDAP user and JBoss ON CLI log in to JBoss ON and try something like: ****************************************** myTest@localhost:7080$ var criteria = ResourceCriteria(); myTest@localhost:7080$ criteria.clearPaging(); myTest@localhost:7080$ criteria.addFilterPluginName("JBossAS7"); myTest@localhost:7080$ criteria.addFilterResourceTypeName('JBossAS7 Standalone Server'); myTest@localhost:7080$ var resources = ResourceManager.findResourcesByCriteria(criteria); myTest@localhost:7080$ resources.size(); 2 ****************************************** 6. Confirm that LDAP user can see resources; 7. Using the same user (myTest) try to log in to JBoss ON UI; 8. Confirm that this user (myTest) does not have permission to see any of the resources; Actual results: JBoss ON user's roles match LDAP mapping only when user is logged in through JBoss ON UI; For users logged in via JBoss ON CLI or REST API this is not a case. Expected results: JBoss ON user's roles have to match LDAP mapping regardless of how user's are logged in. Additional info: